The long-awaited General Data Protection Regulation (GDPR) came in on 25 May last year like a lion, and we all expected the data protection police to kick down the doors of unsuspecting dental practices and seize computers and mobile phones in search of that patient record that we forgot to get consent to hold.
Funnily enough, that didn’t seem to happen! But before we forget it ever existed and carry on as before, there are some points to note.
The Data Protection Commission (DPC) is very clear that data privacy legislation applies to any organisation that holds personal data and it is mandated to ensure that every organisation complies.
You are likely to come to the DPC’s attention as a result of a disgruntled patient or parent using the legislation as a weapon against you, or as a result of a malicious IT attack that you are obliged to report. However, if you can demonstrate that you and your staff are accountable for the personal data you hold – and have taken reasonable steps to meet your obligations – you stand a better chance of keeping those doors on their hinges.
Gerry, my 73-year-old neighbour, brought his 86-year-old friend to a GP appointment. On returning, he asked if she was still in surgery and was told that, as he was not family, new GDPR rules prevented them from disclosing her location to him.
Now, Gerry’s not so well up on GDPR, so he reminded the receptionist that he was the same grey-haired gentleman who brought her in an hour earlier. He was again told that GDPR says no! Fortunately, soon afterwards, Gerry’s elderly friend emerged from the bathroom and all was well again.
It’s all about protection
I met with an assistant commissioner with the DPC last year, and he explained that his office embraces pragmatism but will pursue complacency relentlessly.
Clearly, that GP practice missed the point entirely. GDPR is about protecting people. The legislation is not prescriptive and therefore leaves flexibility with organisations to apply it in ways that allow normal business to continue (avoiding Gerry wandering the streets in search of a missing elderly friend), but all the while ensuring that the rights and freedoms of the data subject are adequately protected in accordance with the legislation itself.
It’s important to get the balance right. In working with dental and clinical practices over the past year, Proliance Data Protection Services has concluded that developing a pragmatic but compliant and effective approach to data privacy ought not to be difficult or time consuming.
Until next time
This four-part series of articles on practical data privacy compliance for dentists will focus on a different practical topic each month, including:
- Practical GDPR guidelines relating to children’s data and consent
- Relationships with practice owners, associates and providers
- Computing essentials to avoid data breaches.
Kevin Cahill is director of Proliance Data Protection Services. www.proliance.ie.
This article was first published in the June 2019 issue of Irish Dentistry.